So, anyone hear about the bot-nuke on Runescape recently? I just visited their site for recent updates, because I do like the game, even though economy and stuff doesn't work because of... smart reverse engineering people.

I'm not going to point fingers, I was on that team too! However, now Jagex states that they've efficiently killed 98% of the botters in their game. You can see it in the online-players count! It's insane!

I'm interested in the technology though - how does one secure his/her Java application from reflection? In the case of an online game, I do not see how they can monitor the client like that. I believe they had a packet to check if everything was okay, but everything can be faked - right?

They use a new obfuscation that basically makes every method and field static and passes object contents in Object[]. It effectively kills reflection bots but I'm fairly sure something else will pop up sooner or later.

Edit: I'm not sure if I am allowed to tell that though..
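To make the transformation described above concrete, here is an added example that is not part of any post in this thread and is not Jagex's code. The class names `Player` and `A` and the array layout are hypothetical; it only shows that, after flattening, the class exposes no named or typed instance fields for a name-based reflective lookup to find.

```java
import java.lang.reflect.Field;
import java.lang.reflect.Modifier;

public class FlattenDemo {
    // Before: a conventional class. State lives in named, typed instance fields.
    static class Player {
        private int health = 99;
        private String name = "demo";
        int getHealth() { return health; }
    }

    // After (hypothetical flattened form): no instance fields or methods.
    // State is an untyped Object[] and every accessor is a static method.
    static final class A {
        static Object[] a(String n, int h) { return new Object[] { h, n }; }
        static int b(Object[] o) { return (Integer) o[0]; }
    }

    // Counts declared non-static fields, i.e. the per-object structure that
    // reflection can enumerate by name and type.
    static int instanceFieldCount(Class<?> c) {
        int n = 0;
        for (Field f : c.getDeclaredFields()) {
            if (!Modifier.isStatic(f.getModifiers()) && !f.isSynthetic()) {
                n++;
            }
        }
        return n;
    }

    public static void main(String[] args) {
        Object[] p = A.a("demo", 99); // constructed sample state
        System.out.println("Player instance fields: " + instanceFieldCount(Player.class));
        System.out.println("A instance fields:      " + instanceFieldCount(A.class));
        System.out.println("health via static call: " + A.b(p));
        System.out.println("runtime type of state:  " + p.getClass().getSimpleName());
    }
}
```

The flattened form removes names and types from the object model, but the values still live in the client process, which is why the posters below treat it as raising cost rather than as a security boundary.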

I'm sure spending 5 minutes of applet decompilation would have worked this out, so I wouldn't worry too much about it. But it's interesting to hear this.

Aaaw. Natsukashiiiii... (nostalgic xD) I used to bot with SCAR, which uses a script language similar to Pascal. It's just a simple color clicker basically, but it did have some graphics drawing features (for bot feedback). SCAR was actually how I got interested in programming. After making bots for mostly random Flash games for a year or so, I made a small SNES-like game where you could walk around in a very small tile world without any tutorial on how to do this. At this point my dad walked in and asked what I was doing. After explaining how I did it, he basically said "Move aside!" and installed Eclipse on my computer. o_0

That sounds a lot more realistic considering how old the game is now, the 10 million active accounts figure that had been thrown around did sound way too good to be true, could be why they didn't remove the bots earlier.

Thing is, I consider bots to be a perfectly legitimate way to play the game. Bah.

Edit: Also, I wonder how exactly they're going to keep all those employees in beans with a free player base of only 35k unless their conversion ratio is absolutely stunning.

Well, they do have 3 announced MMOs in development which all look relatively decent. Two of them are almost done and the other is the Hasbro licensed Transformers Universe due out next year. Also the films Transformers 4 & 5 have been announced (luckily Michael Bay isn't directing them, so hopefully it'll be a proper reboot and not crappy like the first 3 films); again, the tie-in effect here should help sales of the Jagex MMO a little. So it does look like Jagex as a company should be OK for the next 2-3 years at least.

That sounds a lot more realistic considering how old the game is now, the 10 million active accounts figure that had been thrown around did sound way too good to be true, could be why they didn't remove the bots earlier.

There are currently 72k people online, the number on the website is number of people currently online and not number of players.

The Jagex team are apparently clueless about security. And 3D rendering.

Cas

Can you elaborate on this point, please?

If they think that obscuring the client is going to stop bots they are probably in for a bit of a shock.

Cas

I don't think that's their move, cause they've been obfuscating for years.

Of course. During my RS hacking days, people hadn't managed to decrypt much of the source code yet. The most advanced thing that had been done was basically a custom log in screen where you could enter an IP address. It basically just started the normal client but connected to the specified IP instead of the official RS servers.

Well, if they were able to modify the login-screen that means both decompiling, deobfuscating, and recompiling the source. Moparscape has been around forever.

I'm interested in whether anyone knows how to make your Java application safe from reflection, because looking at the project, that seems like a pretty hard task.

I'm pretty sure they never deobfuscated the majority of the code in the game, just the login and connect part. They probably reverse engineered the encryption though. Like I said, I'm years behind in all this.

If your design requires that the client be secure, then your design is just wrong. No amount of protection can protect client code, in any language, on any platform.

Cas

How long your game survives the constant onslaught from hackers depends on how much time you spend securing it VS how much time/resources the hacking community has. The problem is that the hacking community grows (probably not linearly) as your game gets more famous, so if it's a well known game someone's bound to hack it if it's possible.

However, I disagree with your outright statement that a client should not need to be secure. The problem in Runescape's case is not only the client's security. The client obviously needs to have enough information about the game world and its objects, etc., so that the player can play the game. Obviously a bot can play the game with that information too, and it can capture it by using a proxy or hijacking the network information one way or something like that. Reflection was only used to issue custom commands to the game, which is obviously doable in other ways, like injecting them into the network traffic, using a program to click with the mouse, etc.

The only way to enforce Cas standard client security would be to only stream the final rendered image like OnLive does.

I'm thinking more about the problem at a right angle. Why should bots be disallowed from playing at all?* Perhaps that's how I'd like to play RuneScape - making bots for it. I think the concept of an open client is a very worthy design goal.

If they think that obscuring the client is going to stop bots they are probably in for a bit of a shock.

They're not as stupid as you think. Six years ago they were pushing a reobfuscated client every week. Doesn't make it impossible to crack, but does mean that the person writing the crack really has to write an automatic crack writer.

Comparison (as of this post): JGO has 30,328 members. We have 92 people present, of whom only 4 are members. (How many of these are Bots! Oh no!)

72,000 to 10,000,000 vs. 4 to 30,328 seems comparable to me. Even vs. 92 to 30,328.

"But this is a forum, not a game. Apples & Oranges." I guess. But I've spent a lot of time here, more than I have at RuneScape.

When I worked through the "free-loader" quests at RuneScape about a year ago, they would occasionally toss your avatar into some dungeon and force an answer to a simple puzzle, as a way to thin out the bots. It really was a weird thing, walking around seeing these folks chopping down trees for hours on end. I remember trying to strike up the occasional conversation and having no success...

I suppose I'm still on the member rolls. But it's been over a year since I last checked in.

"We all secretly believe we are right about everything and, by extension, we are all wrong." W. Storr, The Unpersuadables

I'm thinking more about the problem at a right angle. Why should bots be disallowed from playing at all?* Perhaps that's how I'd like to play RuneScape - making bots for it. I think the concept of an open client is a very worthy design goal.

Cas

* Rights for AIs!

In an MMO it's a problematic topic. Bot farmers who sell lvl 80 chars etc. can destroy balancing/in-game mechanics.

E.g. Eve Online has a quite boring profession: mining. A few people really like it since it's relaxing (nice graphics, almost no user interaction, you can do something else "half AFK", chat..). I would assume that most of the miners are bots (there are no official numbers); since it's an open sandbox, mining gets basically worthless. You spend n hours for almost no in-game gain since you can't compete with bot armies. (-> botting kills an in-game activity in this example)

If your game has an economy, bots ruin it.
If your game involves interaction with other players, it adds a lot of "players" that you can't interact with, and your players have to deal with them.
If your game is PvP in nature, it ruins people's games; maybe the bot can't beat the best players, but it sure as hell will ruin the noobs.
If your game has highscores/achievements as one motivation for your players, then bots ruin it.

Even with an OnLive-like system, you can make bots that scan the image and send input.

If someone merely playing the game incessantly or well can ruin it then I think there's a fundamental design issue. Things like mining are only possible because of the fundamental flaw of infinite resources, for example. Grinding too - designed simply to play to the darker side of human psychology in order to cause addiction. Lots of things like this. Design a game fundamentally accounting for this sort of stuff and the whole thing is a non-issue.

Cas

You're not going to have a playerbase for very long if there is not continuously stuff to do, though.

In any game where there is a component of competition involved, or comparing skill, bots will be an issue.
For almost any complexity of bot there will always be people who aren't as skilled as it at playing the game.

Chess, Go, StarCraft, Diablo, WoW: if someone wants to, he will always be able to create a bot that can either beat people in those games, or at least assist a human player to give him an unfair advantage (aimbot, etc).

That is not a problem of game design per se, just a problem of computers being better at some stuff than we are.

Even in the minecraft example, I am sure there are people who will find it fun to grief others, and a bot that does that would help them with it.

This is so much worse than piracy, for example: a pirate you can ignore (downloaded game is not a lost sale), attempt to use other ways to monetize your game (free to play, ads, etc), but with bots, if you are unlucky enough to be targeted by those, you can't ignore them, you really have to deal with them or find a way to keep them from ruining your other players' time.

If your design requires that the client be secure, then your design is just wrong. No amount of protection can protect client code, in any language, on any platform.

In terms of making the client 100% secure, I 100% agree. But being 99% secure will deter more hackers than being 10% secure. It also makes it easier to reduce the variety in bots and other attacks, due to the added complexity needed to build them. In turn, this helps to bunch all illegal players into one single target.

I've built simple bots for some small web games (as a proof of concept), and in all cases it's been because it only took me an afternoon to do it. I believe being able to do it is what motivates most bot writers to write their first bot, and if that takes weeks or months rather than hours or days, they will be far less likely to succeed.
